Fail2ban: Difference between revisions
		
		
		
		Jump to navigation
		Jump to search
		
| No edit summary | |||
| (15 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| [[Configuration#Fail2ban|Back]]<br> | |||
|   Install fail2ban |   Install fail2ban | ||
|   # yum install fail2ban -y<br> |   # yum install fail2ban -y<br> | ||
|   Create the filter definition files in filter.d |   Create the filter definition files in filter.d | ||
|   # cat >/etc/fail2ban/filter.d/ |   # cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL | ||
|   [Definition] |   [Definition] | ||
|   #Looks for failed auth outside TLS to SMTP |   #Looks for failed auth outside TLS to SMTP | ||
| Line 8: | Line 9: | ||
|   ignoreregex = |   ignoreregex = | ||
|   EOL<br> |   EOL<br> | ||
|   # cat >/etc/fail2ban/filter.d/ |   # cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf<< EOL | ||
|   [Definition] |   [Definition] | ||
|   #Looks for failed password logins to SMTP |   #Looks for failed password logins to SMTP | ||
| Line 14: | Line 15: | ||
|   ignoreregex = |   ignoreregex = | ||
|   EOL<br> |   EOL<br> | ||
|   # cat >/etc/fail2ban/filter.d/ |   # cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf<< EOL | ||
|   [Definition] |   [Definition] | ||
|   failregex = vchkpw-smtps: vpopmail user not found .*:<HOST> |   failregex = vchkpw-smtps: vpopmail user not found .*:<HOST> | ||
|   ignoreregex = |   ignoreregex = | ||
|   EOL<br> |   EOL<br> | ||
|   # cat >/etc/fail2ban/filter.d/ |   # cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf<< EOL | ||
|   [Definition] |   [Definition] | ||
|   failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST> |   failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST> | ||
|   ignoreregex = |   ignoreregex = | ||
|   EOL<br> |   EOL<br> | ||
|   # cat >/etc/fail2ban/filter.d/ |   # cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf<< EOL | ||
|   [Definition] |   [Definition] | ||
|   failregex = vchkpw-submission: vpopmail user not found .*:<HOST> |   failregex = vchkpw-submission: vpopmail user not found .*:<HOST> | ||
| Line 31: | Line 32: | ||
|   Create jail.local |   Create jail.local | ||
|   # cat >>/etc/fail2ban/jail.d/jail.local << EOL |   # cat >>/etc/fail2ban/jail.d/jail.local << EOL | ||
|   [ |   [qt-sub-passfail] | ||
|   enabled = true |   enabled = true | ||
|   filter  =  |   filter  = qt-sub-passfail | ||
|   action  = iptables[name= |   action  = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp] | ||
|   logpath = /var/log/maillog |   logpath = /var/log/maillog | ||
|   maxretry = 3 |   maxretry = 3 | ||
| Line 40: | Line 41: | ||
|   findtime = 3600 |   findtime = 3600 | ||
|   backend = auto<br> |   backend = auto<br> | ||
|   [ |   [qt-sub-usernotfound] | ||
|   enabled = true |   enabled = true | ||
|   filter  =  |   filter  = qt-sub-usernotfound | ||
|   action  = iptables[name= |   action  = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp] | ||
|   logpath = /var/log/maillog |   logpath = /var/log/maillog | ||
|   maxretry = 3 |   maxretry = 3 | ||
| Line 49: | Line 50: | ||
|   findtime = 3600 |   findtime = 3600 | ||
|   backend = auto<br> |   backend = auto<br> | ||
|   [ |   [qt-smtps-passfail] | ||
|   enabled  = true |   enabled  = true | ||
|   filter   =  |   filter   = qt-smtps-passfail | ||
|   action   = iptables[name= |   action   = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp] | ||
|   logpath  = /var/log/maillog |   logpath  = /var/log/maillog | ||
|   maxretry = 3 |   maxretry = 3 | ||
| Line 58: | Line 59: | ||
|   findtime = 3600 |   findtime = 3600 | ||
|   backend = auto<br> |   backend = auto<br> | ||
|   [ |   [qt-smtps-usernotfound] | ||
|   enabled = true |   enabled = true | ||
|   filter =  |   filter = qt-smtps-usernotfound | ||
|   action = iptables[name= |   action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp] | ||
|   logpath = /var/log/maillog |   logpath = /var/log/maillog | ||
|   maxretry = 3 |   maxretry = 3 | ||
| Line 67: | Line 68: | ||
|   findtime = 3600 |   findtime = 3600 | ||
|   backend = auto<br> |   backend = auto<br> | ||
|   [ |   [qt-smtp-authnotavail] | ||
|   enabled = true |   enabled = true | ||
|   filter =  |   filter = qt-smtp-authnotavail | ||
|   action = iptables[name= |   action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp] | ||
|   logpath = /var/log/qmail/smtptx/current |   logpath = /var/log/qmail/smtptx/current | ||
|   maxretry = 3 |   maxretry = 3 | ||
|   bantime = 86400 |   bantime = 86400 | ||
|   findtime = 300 |   findtime = 300 | ||
|   backend = auto |   backend = auto | ||
|   EOL |   EOL | ||
|   In order to log SMTPTX (transactions) do the following: | |||
|   In order to log  | |||
|    1) # qmailctl stop |    1) # qmailctl stop | ||
|    2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp   |    2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp   | ||
|    3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:   |    3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:<span style="color:red"> | ||
|        #!/bin/sh |        #!/bin/sh | ||
|        LOGSIZE=`cat /var/qmail/control/logsize` |        LOGSIZE=`cat /var/qmail/control/logsize` | ||
| Line 89: | Line 89: | ||
|          /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \ |          /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \ | ||
|          '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \ |          '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \ | ||
|          '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1 |          '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1</span> | ||
|    4) # qmailctl start && qmailctl cdb |    4) # qmailctl start && qmailctl cdb | ||
|    5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal |    5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal | ||
| Line 99: | Line 99: | ||
|   # tee -a /usr/local/bin/f2bstat<<EOL |   # tee -a /usr/local/bin/f2bstat<<EOL | ||
|   #!/bin/bash |   #!/bin/bash | ||
|   for  |   for JAIL in qt-sub-passfail \\ | ||
|              qt-sub-usernotfound \\ | |||
|              qt-smtps-passfail \\ | |||
|              qt-smtps-usernotfound \\ | |||
|              qt-smtp-authnotavail | |||
|   do |   do | ||
|      fail2ban-client status \$ |      fail2ban-client status \$JAIL | ||
|      echo "" |      echo "" | ||
|   done |   done | ||
| Line 113: | Line 113: | ||
|   # chmod 755 /usr/local/bin/f2bstat && f2bstat |   # chmod 755 /usr/local/bin/f2bstat && f2bstat | ||
|   qt-sub-passfail:<br> | |||
|   Status for the jail:  |   Status for the jail: qt-sub-passfail | ||
|   |- Filter |   |- Filter | ||
|   |  |- Currently failed: 1 |   |  |- Currently failed: 1 | ||
| Line 124: | Line 124: | ||
|      `- Banned IP list: |      `- Banned IP list: | ||
|   qt-sub-usernotfound:<br> | |||
|   Status for the jail: qmail-submission-usernotfound |   Status for the jail: qmail-submission-usernotfound | ||
|   |- Filter |   |- Filter | ||
| Line 135: | Line 135: | ||
|      `- Banned IP list: |      `- Banned IP list: | ||
|   qt-smtps-passfail:<br> | |||
|   Status for the jail: qmail-smtps-passfail |   Status for the jail: qmail-smtps-passfail | ||
|   |- Filter |   |- Filter | ||
| Line 146: | Line 146: | ||
|      `- Banned IP list: |      `- Banned IP list: | ||
|   qt-smtps-usernotfound:<br> | |||
|   Status for the jail: qmail-smtps-usernotfound |   Status for the jail: qmail-smtps-usernotfound | ||
|   |- Filter |   |- Filter | ||
| Line 157: | Line 157: | ||
|      `- Banned IP list:   5.34.207.174 212.70.149.72 |      `- Banned IP list:   5.34.207.174 212.70.149.72 | ||
|   qt-smtp-authnotavail:<br> | |||
|   Status for the jail: qmail-smtp-authnotavail |   Status for the jail: qmail-smtp-authnotavail | ||
|   |- Filter |   |- Filter | ||
| Line 171: | Line 171: | ||
| == Basic commands == | == Basic commands == | ||
| * Check banned IPs: | * Check banned IPs: | ||
|  Format: fail2ban-client get 'jail' banned | |||
|    # fail2ban-client get qt-smtp-authnotavail banned | |||
|    ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,] | |||
| * How to unblock an IP(s): | * How to unblock an IP(s): | ||
|  Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ... | |||
|    # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119 | |||
|    3 | |||
| * How to block an IP(s): | * How to block an IP(s): | ||
|  Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ... | |||
|    # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119 | |||
|    3 | |||
| * Help: | |||
|    # fail2ban-client -h | |||
| == References == | == References == | ||
| [1] fail2ban homepage: http://www.fail2ban.org | [1] fail2ban homepage: http://www.fail2ban.org | ||
Latest revision as of 10:13, 19 October 2024
Install fail2ban # yum install fail2ban -y
Create the filter definition files in filter.d # cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL [Definition] #Looks for failed auth outside TLS to SMTP failregex = 503 auth not available \(\#5\.3\.3\) - <HOST> ignoreregex = EOL
# cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf<< EOL [Definition] #Looks for failed password logins to SMTP failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex = EOL
# cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf<< EOL [Definition] failregex = vchkpw-smtps: vpopmail user not found .*:<HOST> ignoreregex = EOL
# cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf<< EOL [Definition] failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex = EOL
# cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf<< EOL [Definition] failregex = vchkpw-submission: vpopmail user not found .*:<HOST> ignoreregex = EOL
Create jail.local # cat >>/etc/fail2ban/jail.d/jail.local << EOL [qt-sub-passfail] enabled = true filter = qt-sub-passfail action = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto
[qt-sub-usernotfound] enabled = true filter = qt-sub-usernotfound action = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto
[qt-smtps-passfail] enabled = true filter = qt-smtps-passfail action = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto
[qt-smtps-usernotfound] enabled = true filter = qt-smtps-usernotfound action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto
[qt-smtp-authnotavail] enabled = true filter = qt-smtp-authnotavail action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp] logpath = /var/log/qmail/smtptx/current maxretry = 3 bantime = 86400 findtime = 300 backend = auto EOL
In order to log SMTPTX (transactions) do the following:
 1) # qmailctl stop
 2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
 3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:
     #!/bin/sh
     LOGSIZE=`cat /var/qmail/control/logsize`
     LOGCOUNT=`cat /var/qmail/control/logcount`
     exec /usr/bin/setuidgid qmaill \
       /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
 4) # qmailctl start && qmailctl cdb
 5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
Start fail2ban # systemctl start fail2ban
Script to check blocking
# tee -a /usr/local/bin/f2bstat<<EOL
#!/bin/bash
for JAIL in qt-sub-passfail \\
            qt-sub-usernotfound \\
            qt-smtps-passfail \\
            qt-smtps-usernotfound \\
            qt-smtp-authnotavail
do
   fail2ban-client status \$JAIL
   echo ""
done
EOL
Set permissions & run script (w/output sample) # chmod 755 /usr/local/bin/f2bstat && f2bstat
qt-sub-passfail:
Status for the jail: qt-sub-passfail |- Filter | |- Currently failed: 1 | |- Total failed: 1 | `- File list: /var/log/maillog `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
qt-sub-usernotfound:
Status for the jail: qmail-submission-usernotfound |- Filter | |- Currently failed: 7 | |- Total failed: 7 | `- File list: /var/log/maillog `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
qt-smtps-passfail:
Status for the jail: qmail-smtps-passfail |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/maillog `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
qt-smtps-usernotfound:
Status for the jail: qmail-smtps-usernotfound |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/maillog `- Actions |- Currently banned: 2 |- Total banned: 2 `- Banned IP list: 5.34.207.174 212.70.149.72
qt-smtp-authnotavail:
Status for the jail: qmail-smtp-authnotavail |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/qmail/smtptx/current `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
Note
Basic commands
- Check banned IPs:
Format: fail2ban-client get 'jail' banned # fail2ban-client get qt-smtp-authnotavail banned ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,]
- How to unblock an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ... # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119 3
- How to block an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ... # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119 3
- Help:
# fail2ban-client -h
References
[1] fail2ban homepage: http://www.fail2ban.org